June 3, 2016
Our Track Record
(Chart: company milestones 2002-2014; labels: Strategic Partnerships, DDoS OEM, SDN)
What is a DDoS Attack?
DDoS Attacks in Numbers
Did You Know?
The Internet pipe and application servers were the most popular DDoS attack targets in 2015.
(Diagram: Internet Pipe → Firewall → IPS/IDS → Load Balancer/ADC → Server Under Attack → SQL Server)
Did You Know?
(Pie chart: Outage, 16%)
From the Client’s Side…
~50% of 2015 attacks were Application Level (L7) attacks
(Pie chart: distribution of attacks by type)
Did You Know?
Burst attacks on the rise: in 2015, 57% of attacks were considered "Burst" attacks.
(Bar chart: attack duration - 1 hour or less, 1 hour to 1 day, 1 day to 1 week, over a week, constantly)
Increased Attacks on Education and Hosting
Compared to 2014:
- Most verticals stayed the same
- Education and Hosting: increased likelihood
- Growing number of "help me DDoS my school" requests
- Motivations vary for hosting:
  - Some target end customers
  - Some target the hosting companies
(Chart: 2015 change from 2014, by vertical)
Operational Application States
- Data-At-Rest Protections (Confidentiality)
- Data-At-Endpoint (Confidentiality)
- Data-In-Transit (Confidentiality)
- Network Infrastructure Protection (Integrity)
- Application Infrastructure Protection (Integrity)
- Volumetric Attacks (Availability)
- Non-Volumetric Resource Attacks (Availability)
Radware Attack Mitigation System (AMS)
Shortest time to protection
Widest security coverage
Radware’s Security Solution Elements
On-Demand Cloud DDoS, DoS protection, Behavioral analysis, IPS, SSL protection, WAF
DDoS Mitigation Solution
(Diagram: Scrubbing Cloud and Protected Organization, with NetFlow-based Attack Detection)
A Hybrid Solution is Needed
(Diagram: On-Demand vs. Always-On protection)
Hybrid DDoS Mitigation Solution
(Diagram: Scrubbing Cloud and Protected Organization)
Synchronized Operation - Example
(Diagram, three steps)
- Attack at the perimeter; the baseline is synchronized to Radware's Cloud Scrubbing Center.
- The DDoS grows larger and saturates the Internet pipe.
- Traffic is diverted to and scrubbed in the cloud, freeing the Internet pipe.
Scrubbing center - over 2 Tbps capacity
FlowMon with DDoS Defender deployment scenario
(Diagram: FlowMon with DDoS Defender performs anomaly detection; dynamic protection policy deployment, including baselines, via the Vision REST API; mitigation enforcement in the Scrubbing Center and at the access layer)
Multi-patent technology
Radware Intellectual Property
Rich Security Patents Portfolio Secures Radware's Attack Mitigation Solution
Covered areas: Dynamic Network Protection, SSL Protection, DDoS Protection, SIP Path Security, Behavioral Application Flood, HTTP Behavioral Protection, Low & Slow
Patent and application numbers listed: 7,681,235; 13/425,978; 11/835,503; 7,882,555; 7,617,170; 7,607,170
Multi-technology Protection
Multi-Vector Attacks Target All Layers of the Infrastructure
(Diagram: Internet Pipe → Firewall → IPS/IDS → Load Balancer/ADC → Server Under Attack → SQL Server, with the corresponding protection technologies: Cloud DDoS protection, DoS protection, Behavioral analysis, IPS, WAF, SSL protection; output: clean traffic)
Only a multi-technology solution can provide full protection from multi-vector threats, preventing outages and minimizing service-level degradation.
Hardware architecture
(Diagram: DME (DDoS Mitigation Engine); multi-purpose multi-core CPUs running the behavioral-based protections; L7 regex acceleration ASIC; capacities shown: 160 Gbps and 230 M PPS / 300 Gbps)
Dedicated Hardware to Fight Attacks
(Diagram comparing Non-Radware and Radware devices under legitimate + attack traffic, x MPPS)
- Non-Radware: 10 Gbps capacity; the device handles attack traffic at the expense of legitimate traffic!
- Radware: 160 Gbps capacity, 240 million PPS; attack traffic does not impact legitimate traffic
Attack Alert!
(Charts: distribution of TCP packet types - SYN, SYN-ACK, ACK, Data, RST, FIN-ACK - for normal traffic versus during an attack)
IP-based mitigation – non-Radware solutions
(Diagram: baseline of normal traffic; attacker source IPs causing a traffic increase; legitimate traffic)
IP-based mitigation is ineffective and causes a high false-positive rate due to:
- Users behind a CDN or proxy
- Dynamic IP changes by botnets
- User computers infected by botnets, causing simultaneous legitimate and attack traffic
Network Behavior Analysis & RT Signature Technology
(Diagram: outbound traffic → RT signatures → protected network)
Signature parameters (the narrowest filters are chosen):
• Source/Destination IP
• Source/Destination Port
• Packet size
• TTL (Time To Live)
• DNS Query
• Packet ID
• TCP sequence number
• More … (up to 20)
Network Behavior Analysis & RT Signature Technology
Mitigation optimization process: closed feedback loop
(Diagram comparing Non-Radware and Radware)
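The two slides above describe picking the narrowest combination of signature parameters that isolates the attack and refining it in a closed feedback loop. The following is an added illustration, not Radware's code: a greedy loop over a constructed baseline sample and a constructed flood sample (spoofed sources, fixed size/port/TTL), adding one (parameter, value) pair at a time until the measured false-positive rate on the baseline is acceptable. The parameter names and thresholds are assumptions for the example.

```python
from collections import Counter

# Signature parameters from the slide (a subset of the "up to 20").
PARAMS = ("src_ip", "dst_port", "packet_size", "ttl", "packet_id")

# Constructed samples: a baseline of normal traffic vs. a flood with spoofed
# source IPs but a fixed size/port/TTL, as tool-generated floods often have.
BASELINE = [{"src_ip": f"203.0.113.{i}", "dst_port": 80 if i % 2 else 443,
             "packet_size": 500 + 40 * i, "ttl": (64, 128, 255)[i % 3],
             "packet_id": 1000 + i} for i in range(10)]
ATTACK = [{"src_ip": f"198.51.100.{i}", "dst_port": 80, "packet_size": 500,
           "ttl": 64, "packet_id": i} for i in range(20)]

def matches(pkt, signature):
    """A packet matches when every (parameter, value) in the signature holds."""
    return all(pkt.get(k) == v for k, v in signature.items())

def rate(packets, signature):
    """Fraction of a sample that the signature matches."""
    return sum(matches(p, signature) for p in packets) / len(packets)

def build_rt_signature(attack, baseline, max_fp=0.01, min_coverage=0.9):
    """Greedy closed-feedback loop: start from the empty filter (matches all
    traffic) and add, one at a time, the (parameter, value) pair that cuts the
    most legitimate (baseline) traffic while still covering the attack sample,
    until the false-positive rate on the baseline is at or below max_fp.
    Returns (signature, attack coverage, baseline false-positive rate)."""
    sig = {}
    while len(sig) < len(PARAMS) and rate(baseline, sig) > max_fp:
        best = None
        for param in PARAMS:
            if param in sig:
                continue
            # the dominant value of this parameter in the attack sample
            value, _ = Counter(p[param] for p in attack).most_common(1)[0]
            trial = {**sig, param: value}
            coverage = rate(attack, trial)
            if coverage < min_coverage:
                continue  # e.g. spoofed source IPs: no single value covers the flood
            score = (rate(baseline, trial), -coverage)  # fewer FPs first, then coverage
            if best is None or score < best[0]:
                best = (score, param, value)
        if best is None:
            break  # no remaining parameter separates attack from baseline
        sig[best[1]] = best[2]
    return sig, rate(attack, sig), rate(baseline, sig)
```

On the constructed samples the loop settles on packet size plus destination port: source IP and packet ID vary per packet, so neither can cover the flood, which is exactly why the slide calls NBA "IP agnostic".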
How to identify attackers?
(Sequence diagram: Real User ↔ DefensePro ↔ Target)
- Real User → DefensePro: SYN
- DefensePro → Real User: SYN-ACK + Cookie
- Real User → DefensePro: ACK + Cookie; the cookie is validated
- TCP challenge passed - delayed binding begins: DefensePro → Target: SYN, SYN-ACK, ACK, then Data is forwarded
HTTP Redirect / JavaScript challenge - awaiting data packet with valid cookie
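The challenge flow above depends on a cookie the client must echo back before any state is committed to the target. As an added example (not DefensePro's implementation, whose cookie construction the slide does not show), a stateless HMAC-based cookie bound to the connection 4-tuple and a time slot, with a small model of the SYN / SYN-ACK+cookie / ACK+cookie exchange; the secret, slot length and tuple encoding are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed example secret; a real device keeps this private and rotates it.
SECRET = b"example-challenge-secret"
SLOT_SECONDS = 60  # assumed cookie lifetime window

def make_cookie(src_ip, src_port, dst_ip, dst_port, now, secret=SECRET):
    """32-bit stateless cookie returned in the SYN-ACK: an HMAC over the
    4-tuple and the current time slot, so it is valid only for this flow and
    only briefly, and the device stores nothing per SYN."""
    slot = int(now) // SLOT_SECONDS
    msg = (ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port)
           + ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port)
           + struct.pack("!Q", slot))
    return struct.unpack("!I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]

def validate_cookie(src_ip, src_port, dst_ip, dst_port, cookie, now, secret=SECRET):
    """Check the cookie echoed in the ACK. The current and previous slot are
    accepted so a handshake straddling a slot boundary is not rejected."""
    for t in (now, now - SLOT_SECONDS):
        expected = make_cookie(src_ip, src_port, dst_ip, dst_port, t, secret)
        if hmac.compare_digest(struct.pack("!I", expected), struct.pack("!I", cookie)):
            return True
    return False

class TcpChallenge:
    """Models the slide's flow: SYN -> SYN-ACK+cookie; the ACK+cookie is
    validated and only then does delayed binding to the target begin.
    Spoofed SYNs never complete the exchange, so they never reach the target."""
    def __init__(self, secret=SECRET):
        self.secret = secret
        self.bound = set()  # 4-tuples that passed the challenge and were bound

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, now):
        cookie = make_cookie(src_ip, src_port, dst_ip, dst_port, now, self.secret)
        return ("SYN-ACK", cookie)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, cookie, now):
        if not validate_cookie(src_ip, src_port, dst_ip, dst_port, cookie, now, self.secret):
            return "DROP"  # invalid or stale cookie; no state was ever allocated
        self.bound.add((src_ip, src_port, dst_ip, dst_port))
        return "BIND"  # challenge passed: delayed binding to the target begins
```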
Challenge / response
Layered approach
- Behavioral protections
- Challenge response
- Access control
- Known vulnerabilities/tools: Signature Protection
- Connection PPS Limit, BL/WL
- VISIBILITY
Summary
Hybrid
Multivector
NBA = IP agnostic!
DDoS: Unique SSL protection
Encrypted Attacks Mitigation
(Diagram: Cloud → Organization; SSL user → Attack Mitigation Device (transparent) → Alteon ADC → servers)
The transaction is identified as suspicious and redirected to Radware Alteon for decryption.
The rest of the session passes through the Attack Mitigation Device directly to the servers with zero latency.
petrl@radware.com